Enterprise reputations for uniform resource locators

ABSTRACT

There is disclosed in an example a computing apparatus configured to operate as an enterprise threat intelligence server, and including: a network interface configured to communicatively couple to a network; and one or more logic elements providing a reputation engine, operable for: receiving a first uniform resource locator (URL) identifier; determining that a first URL identified by the first URL identifier has an unknown enterprise reputation; and establishing a baseline reputation for the URL. There is further disclosed a method of providing the reputation engine, and one or more computer-readable mediums having stored thereon executable instructions for providing the reputation engine.

FIELD OF THE SPECIFICATION

This disclosure relates in general to the field of computer security,and more particularly, though not exclusively to, a system and methodfor assigning enterprise-level reputations for uniform resourcelocators.

BACKGROUND

A uniform resource locator (URL) is a unique identifier for accessing anetwork resource, such as a website. In general practice, a URL has twoparts: a scheme and an address. These may be separated by a colon andtwo forward slashes. For example, the URL “http://www.uspto.gov”includes the scheme “http,” meaning that the resource is accessed viathe hypertext transfer protocol (HTTP). The resource is the subdomain“www” on the domain “uspto” within the “gov” top-level domain (TLD),which is reserved primarily for U.S. government agencies.

URLs may also include a path within the domain or subdomain. Forexample, the URLhttp://www.uspto.gov/patents-application-process/file-online points tothe path “patents-application-process/file-online on the www.uspto.govserver.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is best understood from the following detaileddescription when read with the accompanying figures. It is emphasizedthat, in accordance with the standard practice in the industry, variousfeatures are not necessarily drawn to scale, and are used forillustration purposes only. Where a scale is shown, explicitly orimplicitly, it provides only one illustrative example. In otherembodiments, the dimensions of the various features may be arbitrarilyincreased or reduced for clarity of discussion.

FIG. 1a is a block diagram of a security-enabled network according toone or more examples of the present specification.

FIG. 1b is a block diagram illustrating additional details of thenetwork of FIG. 1 a.

FIG. 2 is a block diagram of a client device according to one or moreexamples of the present specification.

FIG. 3 is a block diagram of a server device according to one or moreexamples of the present specification.

FIG. 4 is a flow chart of a generic cache expiry workflow according toone or more examples of the present specification.

FIGS. 5a and 5b are a flow chart of an enterprise gateway (EGW) lookingup a URL reputation according to one or more examples of the presentspecification.

FIGS. 6a and 6b are a flow chart of an enterprise threat intelligenceserver (ETIS) updating a URL reputation according to one or moreexamples of the present specification.

FIG. 7 is a flowchart of a reputation update workflow.

SUMMARY

There is disclosed in an example a computing apparatus configured tooperate as an enterprise threat intelligence server, and including: anetwork interface configured to communicatively couple to a network; andone or more logic elements providing a reputation engine, operable for:receiving a first uniform resource locator (URL) identifier; determiningthat a first URL identified by the first URL identifier has an unknownenterprise reputation; and establishing a baseline reputation for theURL. There is further disclosed a method of providing the reputationengine, and one or more computer-readable mediums having stored thereonexecutable instructions for providing the reputation engine.

Embodiments of the Disclosure

The following disclosure provides many different embodiments, orexamples, for implementing different features of the present disclosure.Specific examples of components and arrangements are described below tosimplify the present disclosure. These are, of course, merely examplesand are not intended to be limiting. Further, the present disclosure mayrepeat reference numerals and/or letters in the various examples. Thisrepetition is for the purpose of simplicity and clarity and does not initself dictate a relationship between the various embodiments and/orconfigurations discussed. Different embodiments many have differentadvantages, and no particular advantage is necessarily required of anyembodiment.

The named inventors herein have recognized that enterprise security isan ever-evolving architecture that must adapt to address new threats andvulnerabilities. In certain existing models, enterprises encountervarious “security objects” (as described in more detail below). As anetwork device encounters an object, a client security agent may requesta reputation for the object, and act appropriately, including takingremedial action as necessary.

Object reputations may, as a first line of defense, come from a globalsecurity services provider, such as McAfee, Inc. The security servicesprovider may operate a global threat intelligence server (GTIS) 192 toprovide a global threat intelligence service, which compiles andcharacterizes a large database of security objects, assigning each areputation based on what is known about it.

In an example GTIS 192 may handle external internet based requests andmerge the data sources/logging with ETIS 146 in a scalable and latencyfriendly manner

However, not every object has the same impact on every enterprise. Anobject that is benign or beneficial to one enterprise may be harmful toanother. To provide just one example, when the “enterprise” is a homenetwork, online games may be benign. But to a for-profit enterprise, thesame online games may be restricted by network policy to avoid timewasting.

Thus, the enterprise itself may also operate an enterprise threatintelligence server (ETIS) 146 to provide an enterprise threatintelligence service. ETIS 146 may be configured by an administrator 150to handle specific network conditions for protected enterprise 100.

In an example, ETIS 146 is specifically configured to provide URLreputations. This may extend and expand on the GTIS “cloud”-basedreputation and URL categories beyond the traditional usage of querying areputation and returning a response. The additional functionality mayinclude the following, by way of nonlimiting example:

-   -   a. Reducing the cost of querying the cloud through a “proxying”        function within ETIS 146.    -   b. Setting administrator overrides to identify URLs and domains        that are either trusted or malicious.    -   c. Indicator of compromise (IoC) support.    -   d. Improved client protection for file based execution that is        linked to URLs.    -   e. Improved telemetry metadata sent to the cloud allowing        building support in GTIS 192 for grey list management for URLs.    -   f. Providing support to enhanced algorithms for blocking URLs or        preventing false positives.    -   g. Normalization of URL reputation into an existing ETIS        reputation format (e.g., 0-100) to ensure consistency.

In an example, ETIS 146 stores both URL reputation and category values,as well as allowing those to be administratively overridden.

In an example, ETIS 146 queries GTIS 192 for a URL reputation. However,additional functionality is expected to be enabled as TIE administratorsmay choose to override specific URL reputations, use third party feedsor may integrate with other products. The order of precedence in termsof determining which source of URL reputation information should bevalued first may also be considered.

GTIS 192 or ETIS 146 may also provide external reputation refreshes. Forexample, unknown or non-deterministic reputations may be refreshedperiodically on ETIS 146. The intervals and timescales can changedepending on the classification or prevalence for example. This providespotential threat events for historical activity. An optimization mayinclude a domain level check in which the domain may have a maliciousURL marker to notify the requesting entity that one or more bad URLs areassociated with an otherwise benign domain. ETIS 146 may cache domainlevel markers, thus eliminating superfluous refreshes, where there is norelevant URL reputation associated to a domain. This could also be anoptimization at initial analysis time. If it is know that there is nountrusted or “bad” URL for a domain, the system may asynchronouslycollect the URLs from the session and send them in a single bulktransaction. This may help to improve latencies and overall performancefor endpoints, servers, and cloud services.

A system and method according to the present specification will now bedescribed with more particular reference to the attached figures.Throughout the figures, common labels are intended to refer to common orsimilar elements, though this is not intended to imply a particularrelationship between the various views and figures. In some instances, ahyphenated label (such as 10-2 or 10-2) may be used to refer to anexample or species of a generic element 10.

FIG. 1A is a network-level diagram of a secured enterprise 100 accordingto one or more examples of the present specification. In the example ofFIG. 1A, one or more users 120 operate one or more client devices 110.Each device may include an appropriate operating system, such asMicrosoft Windows, Linux, Android, Mac OSX, Apple iOS, Unix, or similar.Some of the foregoing may be more often used on one type of device thananother. For example, desktop computers or engineering workstation maybe more likely to use one of Microsoft Windows, Linux, Unix, or Mac OSX.Laptop computers, which are usually a portable off-the-shelf device withfewer customization options, may be more likely to run Microsoft Windowsor Mac OSX. Mobile devices may be more likely to run Android or iOS.However, these examples are not intended to be limiting.

Client devices 110 may be communicatively coupled to one another and toother network resources via enterprise network 170. Enterprise network170 may be any suitable network or combination of one or more networksoperating on one or more suitable networking protocols, including forexample, a local area network, an intranet, a virtual network, a widearea network, a wireless network, a cellular network, or the Internet(optionally accessed via a proxy, virtual machine, or other similarsecurity mechanism) by way of nonlimiting example. Enterprise network170 may also include one or more servers, firewalls, routers, switches,security appliances, antivirus servers, or other useful network devices,which in an example may be virtualized within enterprise servers 142. Inthis illustration, enterprise network 170 is shown as a single networkfor simplicity, but in some embodiments, enterprise network 170 mayinclude a large number of networks, such as one or more enterpriseintranets connected to the internet. Enterprise network 170 may alsoprovide access to an external network, such as the Internet, viaexternal network 172. External network 172 may similarly be any suitabletype of network.

Enterprise servers 142 may be provided, for example as a virtual clusterrunning in a hypervisor on a plurality of rack-mounted blade servers, oras a cluster of physical servers. Enterprise servers 142 may provide oneor more server functions, or one or more “microclouds” in one or morehypervisors. For example, a virtualization environment such as vCentermay provide the ability to define a plurality of “tenants,” with eachtenant being functionally separate from each other tenant, and eachtenant operating as a single-purpose microcloud. Each microcloud mayserve a distinctive function, and may include a plurality of virtualmachines (VMs) of many different flavors, including agentful andagentless VMs. It should also be noted that some functionality ofendpoint devices 120 may also be provided via enterprise servers 142.For example, one microcloud may provide a remote desktop hypervisor suchas a Citrix workspace, which allows users 120 operating endpoints 120 toremotely login to a remote enterprise desktop and access enterpriseapplications, workspaces, and data. In that case, endpoint 120 could bea “thin client” such as a Google Chromebook, running only astripped-down operating system, and still provide user 120 useful accessto enterprise resources.

One or more computing devices configured as a management console 140 mayalso operate on enterprise network 170. Management console 140 mayprovide a user interface for a security administrator 150 to defineenterprise security policies, which management console 140 may enforceon enterprise network 170 and across client devices 110 and enterpriseservers 142. In an example, management console 140 may run aserver-class operating system, such as Linux, Unix, or Windows Server.In other case, management console 140 may be provided as a webinterface, on a desktop-class machine, or via a VM provisioned withinenterprise servers 142.

Secured enterprise 100 may encounter a variety of “security objects” onthe network. A security object may be any object that operates on orinteracts with enterprise network 170 and that has actual or potentialsecurity implications. In one example, security objects may be broadlydivided into hardware objects, including any physical device thatcommunicates with or operates via the network, and software objects.Software objects may be further subdivided as “executable objects” and“static objects.” Executable objects include any object that canactively execute code or operate autonomously, such as applications,drivers, programs, executables, libraries, processes, runtimes, scripts,macros, binaries, interpreters, interpreted language files,configuration files with inline code, embedded code, and firmwareinstructions by way of non-limiting example. A static object may bebroadly designated as any object that is not an executable object orthat cannot execute, such as documents, pictures, music files, textfiles, configuration files without inline code, videos, and drawings byway of non-limiting example. In some cases, hybrid software objects mayalso be provided, such as for example a word processing document withbuilt-in macros or an animation with inline code. For security purposes,these may be considered as a separate class of software object, or maysimply be treated as executable objects.

Secured enterprise 100 may communicate across enterprise boundary 104with external network 172. Enterprise boundary 104 may represent aphysical, logical, or other boundary. External network 172 may include,for example, websites, servers, network protocols, and othernetwork-based services. In one example, an application repository 160 isavailable via external network 172, and an attacker 180 (or othersimilar malicious or negligent actor) also connects to external network172. A security services provider 190 may provide services to securedenterprise 100.

It may be a goal of users 120 and secure enterprise 100 to successfullyoperate client devices 110 and enterprise servers 142 withoutinterference from attacker 180 or from unwanted security objects. In oneexample, attacker 180 is a malware author whose goal or purpose is tocause malicious harm or mischief, for example by injecting maliciousobject 182 into client device 110. Once malicious object 182 gainsaccess to client device 110, it may try to perform work such as socialengineering of user 120, a hardware-based attack on client device 110,modifying storage 350 (FIG. 3), modifying client application 122 (whichmay be running in memory), or gaining access to enterprise servers 142.

The malicious harm or mischief may take the form of installing root kitsor other malware on client devices 110 to tamper with the system,installing spyware or adware to collect personal and commercial data,defacing websites, operating a botnet such as a spam server, or simplyto annoy and harass users 120. Thus, one aim of attacker 180 may be toinstall his malware on one or more client devices 110. As usedthroughout this specification, malicious software (“malware”) includesany security object configured to provide unwanted results or dounwanted work. In many cases, malware objects will be executableobjects, including by way of non-limiting examples, viruses, trojans,zombies, rootkits, backdoors, worms, spyware, adware, ransomware,dialers, payloads, malicious browser helper objects, tracking cookies,loggers, or similar objects designed to take a potentially-unwantedaction, including by way of non-limiting example data destruction,covert data collection, browser hijacking, network proxy or redirection,covert tracking, data logging, keylogging, excessive or deliberatebarriers to removal, contact harvesting, and unauthorizedself-propagation.

Attacker 180 may also want to commit industrial or other espionageagainst secured enterprise 100, such as stealing classified orproprietary data, stealing identities, or gaining unauthorized access toenterprise resources. Thus, attacker 180's strategy may also includetrying to gain physical access to one or more client devices 110 andoperating them without authorization, so that an effective securitypolicy may also include provisions for preventing such access.

In another example, a software developer may not explicitly havemalicious intent, but may develop software that poses a security risk.For example, a well-known and often-exploited security flaw is theso-called buffer overrun, in which a malicious user is able to enter anoverlong string into an input form and thus gain the ability to executearbitrary instructions or operate with elevated privileges on acomputing device. Buffer overruns may be the result, for example, ofpoor input validation or use of insecure libraries, and in many casesarise in nonobvious contexts. Thus, although not malicious himself, adeveloper contributing software to application repository 160 mayinadvertently provide attack vectors for attacker 180. Poorly-writtenapplications may also cause inherent problems, such as crashes, dataloss, or other undesirable behavior. Because such software may bedesirable itself, it may be beneficial for developers to occasionallyprovide updates or patches that repair vulnerabilities as they becomeknown. However, from a security perspective, these updates and patchesare essentially new objects that must themselves be validated.

Application repository 160 may represent a Windows or Apple “app store”or update service, a Unix-like repository or ports collection, or othernetwork service providing users 120 the ability to interactively orautomatically download and install applications on client devices 110.If application repository 160 has security measures in place that makeit difficult for attacker 180 to distribute overtly malicious software,attacker 180 may instead stealthily insert vulnerabilities intoapparently-beneficial applications.

In some cases, secured enterprise 100 may provide policy directives thatrestrict the types of applications that can be installed fromapplication repository 160. Thus, application repository 160 may includesoftware that is not negligently developed and is not malware, but thatis nevertheless against policy. For example, some enterprises restrictinstallation of entertainment software like media players and games.Thus, even a secure media player or game may be unsuitable for anenterprise computer. Security administrator 150 may be responsible fordistributing a computing policy consistent with such restrictions andenforcing it on client devices 110.

Secured enterprise 100 may also contract with or subscribe to a securityservices provider 190, which may provide security services, updates,antivirus definitions, patches, products, and services. McAfee®, Inc. isa non-limiting example of such a security services provider that offerscomprehensive security and antivirus solutions. In some cases, securityservices provider 190 may include a threat intelligence capability suchas the global threat intelligence (GTI™) database provided by McAfeeInc. Security services provider 190 may update its threat intelligencedatabase by analyzing new candidate malicious objects as they appear onclient networks and characterizing them as malicious or benign.

In another example, secured enterprise 100 may simply be a family, withparents assuming the role of security administrator 150. The parents maywish to protect their children from undesirable content, such aspornography, adware, spyware, age-inappropriate content, advocacy forcertain political, religious, or social movements, or forums fordiscussing illegal or dangerous activities, by way of non-limitingexample. In this case, the parent may perform some or all of the dutiesof security administrator 150.

When a new object is first encountered on the network, security policiesmay initially treat it as “gray” or “suspect.” As a first line ofdefense, a security appliance in cluster 142 may query security servicesprovider 190 to see if the new object has a globally-recognizedreputation. If so, a local reputation may be generated based on thatglobal reputation. If not, the object is completely new and may betreated as a “candidate malicious object,” meaning that its status isunknown, and it may therefore be a malicious object. At a minimum, thenew object may be proscribed in its access to protected resources untilits reputation can be established. This may mean that extra permissionfrom a user 120 or security administrator 150 is required for thecandidate malicious object to access protected resources.

The candidate malicious object may also be subjected to additionalrigorous security analysis, particularly if it is a new object with noglobal reputation, or if it is an executable object. This may include,for example, submitting the object to an internal security audit, or tosecurity services provider 190, for deep analysis. This may includerunning the object in a sandbox environment, expert status analysis, orother security techniques. These may help to establish a new reputationfor the object.

If the object is permitted to operate on the network and maliciousbehavior is observed, the object may be tagged as malicious object 182.Remedial action may then be taken as appropriate or necessary. Thus, itis a goal of users 120 and security administrator 150 to configure andoperate client devices 110, enterprise servers 142, and enterprisenetwork 170 so as to exclude all malicious objects, and to promptly andaccurately classify candidate malicious objects.

FIG. 1B illustrates additional details of the network of FIG. 1A. InFIG. 1B, several devices are illustrated performing discrete functions.It should be understood, however, that these are logical functions, andare not intended to require a particular physical configuration ornetwork layout. In various embodiments, a single physical device mayprovide multiple logical functions, while in the same or differentembodiments, a logical function may be split between multiple physicaldevices. It should also be understood that one or more of the functionsdescribed herein may be provided by a single-purpose appliance, or by avirtual appliance operating on enterprise servers 142.

In this example, enterprise network 170 is managed by an enterprisegateway 144 (EGW), which provides gateway services for devices, such asclient devices 110, connected to enterprise network 170. Enterprisedevices communicatively couple to external devices via external network172, which may be the Internet.

In an example, client device 110 requests a URL, such as by a user 120operating a web browser. This request traverses enterprise network 170,and is sent out to external network 172 to external site server 162,which in this example hosts the requested URL.

As described in more detail in connection with FIGS. 5A and 5B, EGW 144checks to see if it has a cached reputation for the URL. If it has anexisting cached reputation, then it may make appropriate decisions aboutwhat to do with the request based on the reputation. For example, if thereputation is “trusted,” the request is allowed. If the reputation is“untrusted,” the request may be blocked. If the reputation is “gray,”then additional action may be necessary.

If EGW 144 does not have a valid cached reputation for the URL, then itmay request a reputation from enterprise threat intelligence server(ETIS) 146. ETIS 146 may be configured with appropriate rules foranalyzing URLs and assigning appropriate reputations.

FIG. 2 is a block diagram of client device 200 according to one or moreexamples of the present specification. Computing device 200 may be anysuitable computing device. In various embodiments, a “computing device”may be or comprise, by way of non-limiting example, a computer,workstation, server, mainframe, virtual machine (whether emulated or ona “bare-metal” hypervisor), embedded computer, embedded controller,embedded sensor, personal digital assistant, laptop computer, cellulartelephone, IP telephone, smart phone, tablet computer, convertibletablet computer, computing appliance, network appliance, receiver,wearable computer, handheld calculator, or any other electronic,microelectronic, or microelectromechanical device for processing andcommunicating data. Any computing device may be designated as a host onthe network. Each computing device may refer to itself as a “localhost,” while any computing device external to it may be designated as a“remote host.”

In certain embodiments, client devices 110 may all be examples ofcomputing devices 200.

Computing device 200 includes a processor 210 connected to a memory 220,having stored therein executable instructions for providing an operatingsystem 222 and at least software portions of a security agent 224. Othercomponents of client device 200 include a storage 250, network interface260, and peripheral interface 240. This architecture is provided by wayof example only, and is intended to be non-exclusive and non-limiting.Furthermore, the various parts disclosed are intended to be logicaldivisions only, and need not necessarily represent physically separatehardware and/or software components. Certain computing devices providemain memory 220 and storage 250, for example, in a single physicalmemory device, and in other cases, memory 220 and/or storage 250 arefunctionally distributed across many physical devices. In the case ofvirtual machines or hypervisors, all or part of a function may beprovided in the form of software or firmware running over avirtualization layer to provide the disclosed logical function. In otherexamples, a device such as a network interface 260 may provide only theminimum hardware interfaces necessary to perform its logical operation,and may rely on a software driver to provide additional necessary logic.Thus, each logical block disclosed herein is broadly intended to includeone or more logic elements configured and operable for providing thedisclosed logical operation of that block. As used throughout thisspecification, “logic elements” may include hardware, external hardware(digital, analog, or mixed-signal), software, reciprocating software,services, drivers, interfaces, components, modules, algorithms, sensors,components, firmware, microcode, programmable logic, or objects that cancoordinate to achieve a logical operation.

In an example, processor 210 is communicatively coupled to memory 220via memory bus 270-3, which may be for example a direct memory access(DMA) bus by way of example, though other memory architectures arepossible, including ones in which memory 220 communicates with processor210 via system bus 270-1 or some other bus. Processor 210 may becommunicatively coupled to other devices via a system bus 270-1. As usedthroughout this specification, a “bus” includes any wired or wirelessinterconnection line, network, connection, bundle, single bus, multiplebuses, crossbar network, single-stage network, multistage network orother conduction medium operable to carry data, signals, or powerbetween parts of a computing device, or between computing devices. Itshould be noted that these uses are disclosed by way of non-limitingexample only, and that some embodiments may omit one or more of theforegoing buses, while others may employ additional or different buses.

In various examples, a “processor” may include any combination of logicelements operable to execute instructions, whether loaded from memory,or implemented directly in hardware, including by way of non-limitingexample a microprocessor, digital signal processor, field-programmablegate array, graphics processing unit, programmable logic array,application-specific integrated circuit, or virtual machine processor.In certain architectures, a multi-core processor may be provided, inwhich case processor 210 may be treated as only one core of a multi-coreprocessor, or may be treated as the entire multi-core processor, asappropriate. In some embodiments, one or more co-processor may also beprovided for specialized or support functions.

Processor 210 may be connected to memory 220 in a DMA configuration viaDMA bus 270-3. To simplify this disclosure, memory 220 is disclosed as asingle logical block, but in a physical embodiment may include one ormore blocks of any suitable volatile or non-volatile memory technologyor technologies, including for example DDR RAM, SRAM, DRAM, cache, L1 orL2 memory, on-chip memory, registers, flash, ROM, optical media, virtualmemory regions, magnetic or tape memory, or similar. In certainembodiments, memory 220 may comprise a relatively low-latency volatilemain memory, while storage 250 may comprise a relatively higher-latencynon-volatile memory. However, memory 220 and storage 250 need not bephysically separate devices, and in some examples may represent simply alogical separation of function. It should also be noted that althoughDMA is disclosed by way of non-limiting example, DMA is not the onlyprotocol consistent with this specification, and that other memoryarchitectures are available.

Storage 250 may be any species of memory 220, or may be a separatedevice. Storage 250 may include one or more non-transitorycomputer-readable mediums, including by way of non-limiting example, ahard drive, solid-state drive, external storage, redundant array ofindependent disks (RAID), network-attached storage, optical storage,tape drive, backup system, cloud storage, or any combination of theforegoing. Storage 250 may be, or may include therein, a database ordatabases or data stored in other configurations, and may include astored copy of operational software such as operating system 222 andsoftware portions of security agent 224. Many other configurations arealso possible, and are intended to be encompassed within the broad scopeof this specification.

Network interface 260 may be provided to communicatively couple clientdevice 200 to a wired or wireless network. A “network,” as usedthroughout this specification, may include any communicative platformoperable to exchange data or information within or between computingdevices, including by way of non-limiting example, an ad-hoc localnetwork, an internet architecture providing computing devices with theability to electronically interact, a plain old telephone system (POTS),which computing devices could use to perform transactions in which theymay be assisted by human operators or in which they may manually keydata into a telephone or other suitable electronic equipment, any packetdata network (PDN) offering a communications interface or exchangebetween any two nodes in a system, or any local area network (LAN),metropolitan area network (MAN), wide area network (WAN), wireless localarea network (WLAN), virtual private network (VPN), intranet, or anyother appropriate architecture or system that facilitates communicationsin a network or telephonic environment.

Security agent 224, in one example, is operable to carry outcomputer-implemented methods as described in this specification.Security agent 224 may include one or more tangible non-transitorycomputer-readable mediums having stored thereon executable instructionsoperable to instruct a processor to provide a security agent 224. Asused throughout this specification, an “engine” includes any combinationof one or more logic elements, of similar or dissimilar species,operable for and configured to perform one or more methods provided bythe engine. Thus, security agent 224 may comprise one or more logicelements configured to provide methods as disclosed in thisspecification. In some cases, security agent 224 may include a specialintegrated circuit designed to carry out a method or a part thereof, andmay also include software instructions operable to instruct a processorto perform the method. In some cases, security agent 224 may run as a“daemon” process. A “daemon” may include any program or series ofexecutable instructions, whether implemented in hardware, software,firmware, or any combination thereof, that runs as a background process,a terminate-and-stay-resident program, a service, system extension,control panel, bootup procedure, BIOS subroutine, or any similar programthat operates without direct user interaction. In certain embodiments,daemon processes may run with elevated privileges in a “driver space,”or in ring 0, 1, or 2 in a protection ring architecture. It should alsobe noted that security agent 224 may also include other hardware andsoftware, including configuration files, registry entries, andinteractive or user-mode software by way of non-limiting example.

In one example, security agent 224 includes executable instructionsstored on a non-transitory medium operable to perform a method accordingto this specification. At an appropriate time, such as upon bootingclient device 200 or upon a command from operating system 222 or a user120, processor 210 may retrieve a copy of the instructions from storage250 and load it into memory 220. Processor 210 may then iterativelyexecute the instructions of security agent 224 to provide the desiredmethod.

Security agent 224 may be adapted to provide security services forclient devices 200. This may include antivirus, antimalware, and othersimilar services consistent with this specification. These may furtherinclude enforcing URL reputation policies for enterprise 100. Forexample, when client device 200 encounters a URL, or when a userattempts to download a file from a URL, security agent 224 may takeappropriate action to allow or block the attempt. In some cases,security agent 224 may need to request a reputation for the URL beforeacting. In other cases, enforcement is decentralized. For example, whenclient device 200 attempts to access a URL, the request may necessarilypass through EGW 144, which enforces the policy at its end.

In some embodiments security agent 224 requests a reputation whenever itencounters a new object, such as a URL. The response may include areputation, as well as a TTL. Client device 200 may then cache thereputation until the TTL expires, at which case it purges the stalereputation. In other embodiments, an enterprise service bus (ESB), suchas McAfee's data exchange layer (DXL) may be provided with apublish-subscribe framework. In that case, client device 200 maysubscribe to reputation updates on the ESB, and may cache reputations asthey are published.

Peripheral interface 240 may be configured to interface with anyauxiliary device that connects to client device 200 but that is notnecessarily a part of the core architecture of client device 200. Aperipheral may be operable to provide extended functionality to clientdevice 200, and may or may not be wholly dependent on client device 200.In some cases, a peripheral may be a computing device in its own right.Peripherals may include input and output devices such as displays,terminals, printers, keyboards, mice, modems, data ports (e.g., serial,parallel, USB, Firewire, or similar), network controllers, opticalmedia, external storage, sensors, transducers, actuators, controllers,data acquisition buses, cameras, microphones, speakers, or externalstorage by way of non-limiting example.

In one example, peripherals include display adapter 242, audio driver244, and input/output (I/O) driver 246. Display adapter 242 may beconfigured to provide a human-readable visual output, such as acommand-line interface (CLI) or graphical desktop such as MicrosoftWindows, Apple OSX desktop, or a Unix/Linux X Window System-baseddesktop. Display adapter 242 may provide output in any suitable format,such as a coaxial output, composite video, component video, VGA, ordigial outputs such as DVI or HDMI, by way of nonlimiting example. Insome examples, display adapter 242 may include a hardware graphics card,which may have its own memory and its own graphics processing unit(GPU). Audio driver 244 may provide an interface for audible sounds, andmay include in some examples a hardware sound card. Sound output may beprovided in analog (such as a 3.5 mm stereo jack), component (“RCA”)stereo, or in a digital audio format such as S/PDIF, AES3, AES47, HDMI,USB, Bluetooth or Wi-Fi audio, by way of non-limiting example.

FIG. 3 is a block diagram of a server-class device 300 according to oneor more examples of the present specification. Server 300 may be anysuitable computing device, as described in connection with FIG. 2. Ingeneral, the definitions and examples of FIG. 2 may be considered asequally applicable to FIG. 3, unless specifically stated otherwise.Server 300 is described herein separately to illustrate that in certainembodiments, logical operations according to this specification may bedivided along a client-server model, wherein client device 200 providescertain localized tasks, while server 300 provides certain othercentralized tasks. In contemporary practice, server 300 is more likelythan client device 200 to be provided as a “headless” VM running on acomputing cluster, or as a standalone appliance, though theseconfigurations are not required.

Server 300 includes a processor 310 connected to a memory 320, havingstored therein executable instructions for providing an operating system322 and at least software portions of a reputation server engine 324.Other components of server 300 include a storage 350, network interface360, and peripheral interface 340. As described in FIG. 2, each logicalblock may be provided by one or more similar or dissimilar logicelements.

In an example, processor 310 is communicatively coupled to memory 320via memory bus 370-3, which may be for example a direct memory access(DMA) bus. Processor 310 may be communicatively coupled to other devicesvia a system bus 370-1.

Processor 310 may be connected to memory 320 in a DMA configuration viaDMA bus 370-3, or via any other suitable memory configuration. Asdiscussed in FIG. 2, memory 320 may include one or more logic elementsof any suitable type.

Storage 350 may be any species of memory 320, or may be a separatedevice, as described in connection with storage 250 of FIG. 2. Storage350 may be, or may include therein, a database or databases or datastored in other configurations, and may include a stored copy ofoperational software such as operating system 322 and software portionsof reputation server engine 324.

Network interface 360 may be provided to communicatively couple server140 to a wired or wireless network, and may include one or more logicelements as described in FIG. 2.

Reputation server engine 324 is an engine as described in FIG. 2 and, inone example, includes one or more logic elements operable to carry outcomputer-implemented methods as described in this specification.Software portions of reputation server engine 324 may run as a daemonprocess.

Reputation server engine 324 may include one or more non-transitorycomputer-readable mediums having stored thereon executable instructionsoperable to instruct a processor to provide a security agent. At anappropriate time, such as upon booting server 140 or upon a command fromoperating system 322 or a user 120 or security administrator 150,processor 310 may retrieve a copy of reputation server engine 324 (orsoftware portions thereof) from storage 350 and load it into memory 320.Processor 310 may then iteratively execute the instructions ofreputation server engine 324 to provide the desired method.

Peripheral interface 340 may be configured to interface with anyauxiliary device that connects to server 300 but that is not necessarilya part of the core architecture of server 300. Peripherals may include,by way of non-limiting examples, any of the peripherals disclosed inFIG. 2. In some cases, server 300 may include fewer peripherals thanclient device 200, reflecting that it may be more focused on providingprocessing services rather than interfacing directly with users. In oneexample, reputation server engine 324 is provided within or as afunction of ETIS 146.

A reputation client engine 326 may also be provided. Reputation clientengine 326 is an engine as described in this specification, and thedescription of reputation server engine 324 is, where relevant, equallyapplicable to reputation client engine 326. In an example, reputationclient engine 326 is provided within or as a function of EGW 144.

FIG. 4 is a flowchart of a generic method for handling reputationexpiry, particularly as it relates to cached entries. Specifically, EGW144 may retain cached reputations for URLs it encounters. Similarly,ETIS 146 may also cache reputations rather than querying GTIS 192 foreach URL that it encounters. Cached entries may have a built-in expiryso that they do not become stale.

In block 400, a time to live (TTL) for a cache entry expires.

In block 410, the entry is marked as expired.

In block 420, an asynchronous periodic garbage collection process scansreputation tables for expired entries.

In block 450, if expired entries are found, then in block 480, thoseentries are removed from cache. If no expired cache entries are found,then in block 490 there is nothing to do, and the process terminates.

FIGS. 5A and 5B are a flowchart of a reputation client engine 326handling reputations for URLs that it encounters.

In block 500, EGW 144 encounters the URL.

In block 510, EGW 144 checks to see whether there is a locally cachedreputation for that URL.

If there is, then in block 514, EGW 144 checks see whether the entry hasexpired. If it has not, then in block 520, EGW 144 updates the last usedtime in cache. The TTL does not change in this case.

Returning to block 514 and to block 510, if the block entry has expiredin if the cache entry has expired in block 514, or if there is nolocally cached reputation in block 510, then in block 530, MGW 144checks to see whether ETIS 146 is present.

If ETIS 146 is not present, then in block 532, EGW 144 may query G case192 for a global URL reputation.

Returning to block 530, if ETIS 146 is present, then in block 534, EGW142 queries ETIS 146 for a URL reputation.

Whether retrieved from ETIS 146 or GTIS 192, a new reputation entry hasbeen received. Thus, in block 540, EGW 144 adds or updates thereputation in its own internal cache.

In block 544, EGW 144 resets the last used time in cache and updates thereputation value.

Following off page connector 2, and turning to FIG. 5B, in block 550, inone example, the URL may have a status selected from one of threebroadly defined categories. Trusted (“white”) URLs are those that aretrusted to be beneficial for the enterprise. These should be allowedwithout any further interference. Untrusted (“black”) URLs are URLs thatare known to host bad content or to provide restricted information.Neutral (“gray”) URLs are URLs that have not yet been fullycharacterized, and thus have not been assigned a status as trusted oruntrusted.

If a URL is trusted, then in block 552, a TTL corresponding to thetrusted status is set. Ranges for TTL's are described in more detailbelow.

If the URL is untrusted, then in block 554, an untrusted TTL is set.

In block 560, if the URL has a gray or “unknown” status, then reputationclient engine 326 checks whether the URL is a known URL. If it is known,then in block 562, a TTL corresponding to known gray URLs is set.

If it is not known, then in block 564, a TTL corresponding to an unknowngray URLs is set.

The outputs of blocks 552, 554, 562, and 564, converge on decision block570.

In decision block 570, reputation client engine 326 determines whetherthe URL is frequently visited. If the URL is frequently visited, then inblock 574, the TTL is set to the higher end of the range for itsappropriate category.

If the URL is not frequently visited, then in block 572, the TTL is setto the lower end of its range.

In block 580, the new TTL value is updated within the cache.

In block 590, reputation client engine 326 returns the URL reputation.Following off page connector 1 back to FIG. 5A, in block 520 reputationclient engine 326 updates the last used time in cache. The TTL does notchange.

FIGS. 6A and 6B provide a flowchart of a method performed by areputation server engine 324 of in ETIS 146. In block 600, reputationengine 324 receives a URL reputation request.

In block 610, ETIS 146 checks whether a reputation for the URL ispresent in its local cache. If so, then in block 612, reputation serverengine 324 checks whether the entry has expired. If the entry has notexpired, then in block 620, reputation server engine 324 updates thelast used time in cache. The TTL does not change. Reputation serverengine 324 may then report the URL to the requesting device.

Returning to decision block 610, if the URL does not have a reputationpresent in the local cache, or in block 612, if the entry has expired,then in block 630, ETIS 146 queries GTIS 192 for a URL reputation. Inblock 632, ETIS 146 receives a response from GTIS 192 and adds andupdates the reputation in its local cache.

In block 640, reputation engine 324 resets the last used time in cacheand updates the reputation. Following off page connector 2 to FIG. 6B,in block 650, reputation engine 324 checks the URL status.

In block 650, in one example, the URL may have a status selected fromone of three broadly defined categories. Trusted (“white”) URLs arethose that are trusted to be beneficial for the enterprise. These shouldbe allowed without any further interference. Untrusted (“black”) URLsare URLs that are known to host bad content or to provide restrictedinformation. Neutral (“gray”) URLs are URLs that have not yet been fullycharacterized, and thus have not been assigned a status as trusted oruntrusted.

If a URL is trusted, then in block 652, a TTL corresponding to thetrusted status is set. Ranges for TTL's are described in more detailbelow.

If the URL is untrusted, then in block 654, an untrusted TTL is set.

In block 660, if the URL has a gray or “unknown” status, then reputationserver engine 324 checks whether the URL is a known URL. If it is known,then in block 662, a TTL corresponding to known gray URLs is set.

If it is not known, then in block 664, a TTL corresponding to an unknowngray URLs is set.

The outputs of blocks 652, 654, 662, and 664, converge on decision block670.

In decision block 670, reputation server engine 324 determines whetherthe URL is frequently visited. If the URL is frequently visited, then inblock 674, the TTL is set to the higher end of the range for itsappropriate category.

If the URL is not frequently visited, then in block 672, the TTL is setto the lower end of its range.

In block 680, the new TTL value is updated within the cache.

In block 690, reputation server engine 324 returns the URL reputation.

Following off page connector 1 back to FIG. 6A, in block 620 reputationserver engine 324 updates the last used time in cache. The TTL does notchange.

FIG. 7 is a flowchart of a reputation update workflow.

In block 700, reputation engine 324 begins a server reputation update.In decision block 720, reputation engine 324 determines whether the URLreputation has changed. If it has not, then in block 750 there isnothing to do.

If the reputation has changed, then in decision block 730, reputationengine 324 determines whether the URL reputation was requestedpreviously.

If not, then in block 770, there is nothing to do. However, if it wasrequested previously, then in block 780, reputation engine 324 may senda reputation change event, for example over an enterprise service bussuch as a data exchange layer (DXL), to EGW 144, as well as to clientdevices 110.

In block 790, reputation engine 324 adds or updates an entry in thegateway and host (client device) caches.

Note that according to the method of FIG. 7, reputation engine 324publishes a URL reputation on the DXL, so that EGW 144 does not need toexplicitly request a reputation every time encounters a URL. Rather, aslong as the reputation has not expired, EGW 144 may continue to use itscache reputation. Once the reputation expires, EGW 144 may check for anew published reputation, or may expressly requests a reputation for theURL from ETIS 146.

Caching URL reputations as described herein improves performance incertain embodiments. For efficiency and scale, a cache on the host(client) or EGW 144 may be provided in addition to the cache on ETIS 146itself. These two independent caches may help to minimize queriesdirected to ETIS 146 and those directed to GTIS 192.

In an embodiment, the caches have the following properties:

-   -   a. Each cache expires entries over periods of time that vary        with the classification of the URL as well as the local        prevalence of the URL.    -   b. Each cache only contains those entries that have been seen by        that product.    -   c. Each cache performs ‘lazy removal’ of the cache entries, as        necessary, i.e. an asynchronous garbage collection process        removes expired entries as required. The frequency of the        garbage collection process as well as the TTL ranges allocated        per classification may depend on the degree of use of the cache        and the load on the device. This frequency may also be made        customer configurable.    -   d. The gateway 142 cache may support the ability to perform a        bulk query for the top X (where X is a configurable number based        on the size of its cache) most prevalent URL reputations in the        local environment so that a potential cold-start impact of the        cache can be significantly reduced.    -   e. The cache may be persisted across reboots.    -   f. The maximum size of the cache may be configurable between        default and a customer configured size.

In an example, the timeout values in the cache are configured to allowthe most prevalent URL reputations to be retained for a 3-4 day periodat least to avoid a post-weekend rush when a significant number ofdevices come online again.

The host 110/gateway 144 cache may listen for any URL reputation changeevents on the DXL coming from ETIS 146 and update their cache entrieswith that information.

According to the method described herein, EGW 144 does not need todownload and persist a local database of URL reputations. Rather, if thevast majority of queries (for example, >95%) hit the local database,then the cache will provide similar value after the initial “cold start”period where the cache has to be built up initially.

The effectiveness of the local cache may be enhanced by cooperating withGTIS 192 for providing information on which portion of the URL wascacheable and which URLs are not to be cached. This may come in the formof GTIS 192 responding to a query with a tree showing all relevant URLs.Alternately, a response may includes the number of bytes of the URL thatcan be cached, if any.

In an embodiment, gateway 144 looks at the local cache first forinformation that has been populated from the ETIS 146 that includesadministrative overrides, reputation changes, etc. This cache may beupdated out-of-band with information over DXL from ETIS 146. It is alsopre-populated with the locally most prevalent URLs, with the number ofthese URLs depending on the size of the cache and the load on thegateway.

If no cache hits are found, EGW 144 may then look up the reputation in alocal database. If the local DB does not contain a relevant reputation,EGW 144 queries ETIS 146 if it is present. Otherwise, it may query GTIS192 via a REST API, for example.

In certain embodiments ETIS 146 publishes URL reputation change eventson the DXL for other host and gateway products to consume and updatetheir respective caches with this information. ETIS 146 may also supportbulk URL queries to reduce latency.

ETIS 146 may also support a query for the top X URLs (for example,X=1000). This value may be configurable. This may help to alleviate any“cold start”/cache flush issues. An administrator may also specify aminimum (floor) prevalence value that must be met before the URLs arereturned. This may result in fewer URLs being returned than the minimumnumber of reputations specified by the query.

In an example, the following data are stored in ETIS 146:

TABLE 1 URL Reputation Storage Category Desired fields Description Whento store Stripped URL (The For privacy reasons, strip Whenever a URL URLis stored in its params and auth. Only object is stored component parts,Scheme, Domain and Path. (the portions FQDN and entire Configurable fromEGW. that will be URL) stored and duration of storage are describedbelow). URL Web Reputation The Reputation Score Whenever a URL Scoreobject is stored URL Category The category for the URL Whenever a URLobject is stored HTTP Referrer Whenever a URL object is stored and datais available HTTP User-Agent ex: “Mozilla/4.0 (compatible; Whenever aURL MSIE 7.0; Windows NT 6.0)” object is stored and data is availableDestination IPv4 or Whenever a URL IPv6 object is stored and data isavailable Root File Name If file is a member of an When an archivearchive, Root File Name file is contains the archive file name.downloaded from a URL (must be stored with the URL) File Name If memberof an archive, this When a file is is the member file name downloadedincluding archive path, else it from a URL is just the name of the file.(must be stored with the URL) MD5 of Root File Empty if not an archiveWhen a non- Body format. archive file is downloaded from a URL (must bestored with the URL) MD5 of the File Body If root is an archive, this isthe When an archive MD5 of an embedded file is member file, else it isthe MD5 downloaded hash of the downloaded file. from a URL (must bestored with the URL) SHA-1 of the Root Empty if not an archive When anon- File Body format. archive file is downloaded from a URL (must bestored with the URL) SHA-1 of File Body If root is an archive, this isthe When an archive SHA-1 of an embedded file is member file, else it isthe SHA- downloaded 1 hash of the downloaded file. from a URL (must bestored with the URL) SHA-256 of the Root Empty if not an archive When anon- File Body format. archive file is downloaded from a URL (must bestored with the URL) SHA-256 of File Body If root is an archive, this isthe When an archive SHA-256 of an embedded file is member file, else itis the SHA- downloaded 256 hash of the downloaded from a URL file. (mustbe stored with the URL) CRC32 of Announced Content-Type from Server,like When available Media Type image/jpeg CRC32 of Detected Actual FileType determined, When available Media Type like application/executable,text/html, . . . MD5 of the File Body This is the hash of the file thatWhen a file (non- was connecting to the browser) is URL/domain.attempting to connect to a URL. Detection Names ex: When available“BehavesLike.Win32.Sality.dr”, or “TR/Agent.HF.30” (3rd- party needsLegal check). Detection Scores 0 (clean) . . . 100 (malicious) Whenavailable Detection GAM, 3rdParty, DLP, . . . When available ComponentsDetection ex: 7654 When available Components DAT Version Product Versionex: “MWG 7.5.0” When available Enterprise Client IP Address of InternalOnly when Machine Identifier Endpoint associated with a downloaded fileEnterprise Client Username of person logged Only when User Identifierinto endpoint associated with a downloaded file SHA-1 hash of the ForHTTPS URLs, public key of the SSL when available. certificatecorresponding to domain SHA-1 hash of the For HTTPS URLs, public key ofthe when available. parent certificate of the SSL certificatecorresponding to domain Destination SSL ex: Valid, Trusted, Self-Signed,For HTTPS URLs, Certificate Expired, . . . when available. verificationresult

In an example, the complete URL is stored only for a short time(depending on the caching policy, which may vary based on classificationand current load on ETIS 146) for the express purpose of caching thereputation for frequently queried objects. Longer term storage forcomplete URLs may only be necessary for administrative overrides,storing URL classification results from other products, and when a filehas been downloaded from a specific URL. Outside of that, onlysub-domain level data may need be stored for the express purpose ofmaintaining a local prevalence value for URL sub-domains. In an example,the TTL for sub-domain data does not exceed 90 days. This TTL may beconfigurable on ETIS 146.

Security administrator 150 may be able to set a reputation on a Domain,Sub-Domain, or URL level, by way of nonlimiting example. These may beresolved in order of specificity from most specific to least specific.Overrides may support wild carding, with (in one example) ‘*’ resolvingwithin a slash ‘/’, and ‘**’ resolving across slashes. The userinterface may hide any complexities arising from this wild-carding toavoid confusion.

In an example, reputation values may qualitatively include thefollowing:

-   -   a. Known trusted    -   b. Most likely trusted    -   c. Unknown (effectively blocking reputation for this URL)    -   d. Most likely malicious    -   e. Known malicious

In example use case:

-   -   a. Administrator 150 sets a known trusted reputation for        example.com. All queries to example.com will resolve as known        trusted.    -   b. Administrator sets a most likely malicious reputation for        example.com/someurl/*. All queries to www.example.com/someurl/*        will resolve as most likely malicious.    -   c. Considering both of the reputations above together,        www.example.com/someotherurl/ will resolve as known trusted and        www.somecompany.com/someurl/ will resolve as most likely        malicious.

The administrator may also be able to set an SSL certificate reputationto one of the following values:

-   -   a. Known trusted    -   b. Most likely trusted    -   c. Unknown    -   d. Most likely malicious    -   e. Known malicious

In an example use case:

-   -   a. Administrator 150 sets an SSL certificate to known trusted.        If a reputation consumer (such as EGW 144 or client 110) queries        the URL, it will get the Administrator SSL certificate        reputation in addition to the URL reputation. In the case of an        unknown or weak URL reputation, the reputation consumer can        trust the URL based on the SSL certificate.    -   b. Administrator 150 sets an SSL certificate to known malicious.        If a reputation consumer queries the URL, it will get the        Administrator SSL certificate reputation in addition to the URL        reputation. In the case of an unknown or weak URL reputation,        the reputation consumer can block the URL based on the SSL        certificate.

In an example, when a reputation consumer queries a URL reputation fromETIS 146, the DXL message includes the following, by way of nonlimitingexample:

-   -   a. Fully qualified URL (protocol, domain, path, etc)    -   b. SSL certificate for URL (if available)    -   c. File hash requesting the URL (if available)    -   d. File being downloaded from the URL (if available)    -   e. Referrer (if available)

ETIS 146 may respond with a list of URL reputations and categories. ETIS146 may store and calculate these values if it is caching thereputation.

In an example, GTIS 192 provides scalar reputation mapping (0-100). Thismay represent the trust score for the reputation provider reported byETIS 146. Mappings are provided below. Other data may include:

-   -   a. Original GTIS URL reputation response (+/−127)    -   b. GTIS URL category.    -   c. GTIS URL GEO. This may only be available if the IP address is        included in the request, or if it has been cached on ETIS 146.    -   d. GTIS Domain reputation. This may be different from the URL        reputation.    -   e. GTIS URL Flags. This may be an unsigned 32 bit integer bit        mask. This is currently used to indicate McAfee Secure. It is        reported as reputation attribute JCM_ITEM_ID_GTI_URL_FLAGS.

Enterprise URL reputations may also be provided as a scalar score(0-100). This may be configured by security administrator 150. Otherdata may include:

-   -   a. Enterprise URL Subdomain first seen. This is the date that        the URL's subdomain was first seen in the enterprise (EPOCH).    -   b. Enterprise URL Subdomain query count. This is the query count        on the URLs subdomain    -   c. Reputation aggregate for files downloaded from this URL (min,        max, avg, count, last). This may be updated if a file reputation        changes. In on embodiment, it is expected that the number of        URLs with file associations will be low compared to the total        number of URLs.    -   d. URL Referrers initial reputation aggregate (min, max, avg,        count, last). Note that referrer reputation URL does not require        updating after initial calculation.

In addition, if the original query included a certificate, the DXLmessage response may provide the certificate reputation:

-   -   a. GTI SSL Certificate reputation (if available). This is the        0-100 scoring of a reputation trust score. ETIS 146 may query        the certificate reputation if it does not currently have it.    -   b. Enterprise SSL Certificate reputation (if available). This is        the 0-100 scoring of a reputation trust score. If it is not set,        return 0.

In an example, a reputation query and randomized asynchronous reputationqueries may contain the following fields:

-   -   a. ETIS Product Info    -   b. Client Product Info    -   c. URL query info        -   i. Fully qualified URL (protocol, domain, path, etc)        -   ii. SSL certificate for URL (if available)        -   iii. File hash requesting the URL (if available)        -   iv. File being downloaded from the URL (if available)        -   v. Referrer (if available)    -   d. Enterprise URL reputation data        -   i. Enterprise URL first seen        -   ii. Enterprise URL query count        -   iii. Number of files downloaded from this URL        -   iv. Number of referrers for this URL        -   v. Average reputation of files communicating with this URL.        -   vi. Average reputation of referrers

Any cached URL reputation which is being re-queried may include thefollowing data.

-   -   a. ETIS Product Info    -   b. URL query info        -   i. Fully qualified URL (protocol, domain, path, etc)        -   ii. SSL certificate for URL (if available)    -   c. Enterprise URL reputation data        -   i. Enterprise URL first seen        -   ii. Enterprise URL query count        -   iii. Number of files downloaded from this URL        -   iv. Number of referrers for this URL        -   v. Average reputation of referrers        -   vi. Enterprise override match        -   vii. Enterprise override reputation

The URL reputation from GTIS 192 may provide a +/−127 reputation score.This may then be mapped to a reputation score that can be returned bythe ETIS. Equivalencies may include the following:

-   -   a. −127=100    -   b. −126=99 (known trusted)    -   c. −125-−21=85->98 (most likely trusted)    -   d. −20-14=70->84 (might be trusted)    -   e. 16-22=50-69 (known unknown)    -   f. 15=0 (not set/unknown unknown)    -   g. 23-29=31-49 (known unknown)    -   h. 30-49=16-30 (might be malicious)    -   i. 50-126=2-15 (most likely malicious)    -   j. 127=1 (malicious)

AS described above, ETIS 146 may maintain a TTL for URL reputations andkeep the GTIS-supplied reputation up to date. Examples of ETIS TTLsinclude the following:

Reputation Reputation TTL Ranges (hours) Known Trusted 72-96 Most LikelyTrusted 48-96 Might be Trusted 24-72 Known Unknown 12-36 Unknown Unknown 1-12 Might be Malicious 12-36 Most Likely Malicious 24-48 KnownMalicious 36-50

Specific values within these ranges may be selected based on localprevalence (higher prevalence=higher range of timeout). It is possibleto have an accelerated expiry (this expiry will still follow the orderof precedence based on the least TTL expiring first) of these entriesdepending on the load on the system. Also, the exceptions noted in theURL storage section will apply.

If a URL reputation changes, a reputation change notification may besent, for example over DXL. If a URL reputation changes and that URL isassociated to a file, and the aggregate attributes for the filereputation change, then a reputation change notification should be sentfor that file if it does not have a GTI reputation of known trusted oran enterprise reputation set.

In an example, ETIS 146 supports taking IOCs as inputs and correlatesthe URL data present with the data in the IoC (for example, thefile->URL, URL->file and URL&file->device relations).

ETIS 146 may also be to query third-party tools for URLs, store theresulting reputation data, and make these available to productsintegrating with ETIS 146 as well as to administrators forvisualization.

The foregoing outlines features of several embodiments so that thoseskilled in the art may better understand the aspects of the presentdisclosure. Those skilled in the art should appreciate that they mayreadily use the present disclosure as a basis for designing or modifyingother processes and structures for carrying out the same purposes and/orachieving the same advantages of the embodiments introduced herein.Those skilled in the art should also realize that such equivalentconstructions do not depart from the spirit and scope of the presentdisclosure, and that they may make various changes, substitutions, andalterations herein without departing from the spirit and scope of thepresent disclosure.

The particular embodiments of the present disclosure may readily includea system on chip (SOC) central processing unit (CPU) package. An SOCrepresents an integrated circuit (IC) that integrates components of acomputer or other electronic system into a single chip. It may containdigital, analog, mixed-signal, and radio frequency functions: all ofwhich may be provided on a single chip substrate. Other embodiments mayinclude a multi-chip-module (MCM), with a plurality of chips locatedwithin a single electronic package and configured to interact closelywith each other through the electronic package. In various otherembodiments, the digital signal processing functionalities may beimplemented in one or more silicon cores in Application SpecificIntegrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), andother semiconductor chips.

Additionally, some of the components associated with describedmicroprocessors may be removed, or otherwise consolidated. In a generalsense, the arrangements depicted in the figures may be more logical intheir representations, whereas a physical architecture may includevarious permutations, combinations, and/or hybrids of these elements. Itis imperative to note that countless possible design configurations canbe used to achieve the operational objectives outlined herein.Accordingly, the associated infrastructure has a myriad of substitutearrangements, design choices, device possibilities, hardwareconfigurations, software implementations, equipment options, etc.

Any suitably-configured processor component can execute any type ofinstructions associated with the data to achieve the operations detailedherein. Any processor disclosed herein could transform an element or anarticle (for example, data) from one state or thing to another state orthing. In another example, some activities outlined herein may beimplemented with fixed logic or programmable logic (for example,software and/or computer instructions executed by a processor) and theelements identified herein could be some type of a programmableprocessor, programmable digital logic (for example, a field programmablegate array (FPGA), an erasable programmable read only memory (EPROM), anelectrically erasable programmable read only memory (EEPROM)), an ASICthat includes digital logic, software, code, electronic instructions,flash memory, optical disks, CD-ROMs, DVD ROMs, magnetic or opticalcards, other types of machine-readable mediums suitable for storingelectronic instructions, or any suitable combination thereof. Inoperation, processors may store information in any suitable type ofnon-transitory storage medium (for example, random access memory (RAM),read only memory (ROM), field programmable gate array (FPGA), erasableprogrammable read only memory (EPROM), electrically erasableprogrammable ROM (EEPROM), etc.), software, hardware, or in any othersuitable component, device, element, or object where appropriate andbased on particular needs. Further, the information being tracked, sent,received, or stored in a processor could be provided in any database,register, table, cache, queue, control list, or storage structure, basedon particular needs and implementations, all of which could bereferenced in any suitable timeframe. Any of the memory items discussedherein should be construed as being encompassed within the broad term‘memory.’

Computer program logic implementing all or part of the functionalitydescribed herein is embodied in various forms, including, but in no waylimited to, a source code form, a computer executable form, and variousintermediate forms (for example, forms generated by an assembler,compiler, linker, or locator). In an example, source code includes aseries of computer program instructions implemented in variousprogramming languages, such as an object code, an assembly language, ora high-level language such as OpenCL, Fortran, C, C++, JAVA, or HTML foruse with various operating systems or operating environments. The sourcecode may define and use various data structures and communicationmessages. The source code may be in a computer executable form (e.g.,via an interpreter), or the source code may be converted (e.g., via atranslator, assembler, or compiler) into a computer executable form.

In one example embodiment, any number of electrical circuits of theFIGURES may be implemented on a board of an associated electronicdevice. The board can be a general circuit board that can hold variouscomponents of the internal electronic system of the electronic deviceand, further, provide connectors for other peripherals. Morespecifically, the board can provide the electrical connections by whichthe other components of the system can communicate electrically. Anysuitable processors (inclusive of digital signal processors,microprocessors, supporting chipsets, etc.), memory elements, etc. canbe suitably coupled to the board based on particular configurationneeds, processing demands, computer designs, etc. Other components suchas external storage, additional sensors, controllers for audio/videodisplay, and peripheral devices may be attached to the board as plug-incards, via cables, or integrated into the board itself. In anotherexample embodiment, the electrical circuits of the FIGURES may beimplemented as stand-alone modules (e.g., a device with associatedcomponents and circuitry configured to perform a specific application orfunction) or implemented as plug-in modules into application specifichardware of electronic devices.

Note that with the numerous examples provided herein, interaction may bedescribed in terms of two, three, four, or more electrical components.However, this has been done for purposes of clarity and example only. Itshould be appreciated that the system can be consolidated in anysuitable manner. Along similar design alternatives, any of theillustrated components, modules, and elements of the FIGURES may becombined in various possible configurations, all of which are clearlywithin the broad scope of this specification. In certain cases, it maybe easier to describe one or more of the functionalities of a given setof flows by only referencing a limited number of electrical elements. Itshould be appreciated that the electrical circuits of the FIGURES andits teachings are readily scalable and can accommodate a large number ofcomponents, as well as more complicated/sophisticated arrangements andconfigurations. Accordingly, the examples provided should not limit thescope or inhibit the broad teachings of the electrical circuits aspotentially applied to a myriad of other architectures.

Numerous other changes, substitutions, variations, alterations, andmodifications may be ascertained to one skilled in the art and it isintended that the present disclosure encompass all such changes,substitutions, variations, alterations, and modifications as fallingwithin the scope of the appended claims. In order to assist the UnitedStates Patent and Trademark Office (USPTO) and, additionally, anyreaders of any patent issued on this application in interpreting theclaims appended hereto, Applicant wishes to note that the Applicant: (a)does not intend any of the appended claims to invoke paragraph six (6)of 35 U.S.C. section 112 (pre-AIA) or paragraph (f) of the same section(poast-AIA), as it exists on the date of the filing hereof unless thewords “means for” or “steps for” are specifically used in the particularclaims; and (b) does not intend, by any statement in the specification,to limit this disclosure in any way that is not otherwise reflected inthe appended claims.

Example Implementations

There is disclosed in one example, a computing apparatus configured tooperate as an enterprise threat intelligence server, comprising: anetwork interface for configured to communicatively couple to a network;and one or more logic elements comprising a reputation engine, operablefor: receiving a first uniform resource locator (URL) identifier;determining that a first URL identified by the first URL identifier hasan unknown enterprise reputation; and establishing a baseline reputationfor the URL.

There is further disclosed an example wherein establishing the baselinereputation comprises querying a global threat intelligence server for aglobal reputation of the first URL.

There is further disclosed an example wherein the reputation engine isfurther operable for: receiving a response from the external threatintelligence server that the first URL has an unknown global reputation;and assigning the first URL a reputation as suspicious.

There is further disclosed an example wherein the reputation engine isfurther operable for: receiving a response from the global threatintelligence server that the the first URL has a known globalreputation; and generating an enterprise reputation for the first URLbased at least in part on the known global reputation.

There is further disclosed an example wherein the reputation engine isfurther operable for querying an enterprise gateway for informationabout the first URL, and for generating an enterprise reputation for thefirst URL based at least in part on the information about the first URL.

There is further disclosed an example wherein the reputation engine isfurther operable for submitting the first URL for sandbox analysis,receiving sandbox analysis results, and generating an enterprisereputation for the first URL based at least in part on the sandboxanalysis.

There is further disclosed an example wherein the reputation comprises asecond URL identifier, an age, a reputation, prevelance, and metadata.

There is further disclosed an example wherein the second URL identifierincludes the first URL itself or a hash of the first URL.

There is further disclosed an example wherein the reputation engine isfurther operable for: determining that the URL has an existingenterprise reputation; and acting on the existing enterprise reputation.

There is further disclosed an example wherein the reputation engine isfurther operable for: determining that a network object with a knownreputation has an association with the first URL; and assigning thefirst URL a reputation based at least in part on the known reputation ofthe network object.

There is further disclosed an example wherein assigning the first URL areputation based at least in part on the known reputation of the networkobject comprises: determining that the known reputation of the networkobject is an untrusted reputation; determining that the URL has lowprevelance within the enterprise; and assigning the URL an untrustedreputation.

There is further disclosed an example wherein determining that a networkobject with a known reputation has an association with the first URLcomprises determining that the network object was received from thefirst URL.

There is further disclosed an example wherein determining that a networkobject with a known reputation has an association with the first URLcomprises determining that the network object contacts the first URL.

There is further disclosed an example of one or more tangible,non-transitory computer-readable storage mediums having stored thereonexecutable instructions for instructing one or more processors forproviding a reputation engine operable for performing any or all of theoperations of the preceding examples.

There is further disclosed an example of a method of providing areputation engine comprising performing any or all of the operations ofthe preceding examples.

There is further disclosed an example of an apparatus comprising meansfor performing the method.

There is further disclosed an example wherein the means comprise aprocessor and a memory.

There is further disclosed an example wherein the means comprise one ormore tangible, non-transitory computer-readable storage mediums.

There is further disclosed an example wherein the apparatus is acomputing device.

What is claimed is:
 1. A computing apparatus configured to operate as anenterprise threat intelligence server, comprising: a network interfacefor configured to communicatively couple to a network; and one or morelogic elements comprising a reputation engine, operable for: receiving afirst uniform resource locator (URL) identifier; determining that afirst URL identified by the first URL identifier has an unknownenterprise reputation; and establishing a baseline reputation for theURL.
 2. The computing apparatus of claim 1, wherein establishing thebaseline reputation comprises querying a global threat intelligenceserver for a global reputation of the first URL.
 3. The computingapparatus of claim 2, wherein the reputation engine is further operablefor: receiving a response from the external threat intelligence serverthat the first URL has an unknown global reputation; and assigning thefirst URL a reputation as suspicious.
 4. The computing apparatus ofclaim 2, wherein the reputation engine is further operable for:receiving a response from the global threat intelligence server that thethe first URL has a known global reputation; and generating anenterprise reputation for the first URL based at least in part on theknown global reputation.
 5. The computing apparatus of claim 1, whereinthe reputation engine is further operable for querying an enterprisegateway for information about the first URL, and for generating anenterprise reputation for the first URL based at least in part on theinformation about the first URL.
 6. The computing apparatus of claim 1,wherein the reputation engine is further operable for submitting thefirst URL for sandbox analysis, receiving sandbox analysis results, andgenerating an enterprise reputation for the first URL based at least inpart on the sandbox analysis.
 7. The computing apparatus of claim 1,wherein the reputation comprises a second URL identifier, an age, areputation, prevelance, and metadata.
 8. The computing apparatus ofclaim 6, wherein the second URL identifier includes the first URL itselfor a hash of the first URL.
 9. The computing apparatus of claim 1,wherein the reputation engine is further operable for: determining thatthe URL has an existing enterprise reputation; and acting on theexisting enterprise reputation.
 10. The computing apparatus of claim 1,wherein the reputation engine is further operable for: determining thata network object with a known reputation has an association with thefirst URL; and assigning the first URL a reputation based at least inpart on the known reputation of the network object.
 11. The computingapparatus of claim 10, wherein assigning the first URL a reputationbased at least in part on the known reputation of the network objectcomprises: determining that the known reputation of the network objectis an untrusted reputation; determining that the URL has low prevelancewithin the enterprise; and assigning the URL an untrusted reputation.12. The computing apparatus of claim 10, wherein determining that anetwork object with a known reputation has an association with the firstURL comprises determining that the network object was received from thefirst URL.
 13. The computing apparatus of claim 10, wherein determiningthat a network object with a known reputation has an association withthe first URL comprises determining that the network object contacts thefirst URL.
 14. One or more tangible, non-transitory computer-readablestorage mediums having stored thereon executable instructions forproviding a reputation engine operable for: receiving a first uniformresource locator (URL) identifier; determining that a first URLidentified by the first URL identifier has an unknown enterprisereputation; and establishing a baseline reputation for the URL.
 15. Theone or more tangible, non-transitory computer-readable mediums of claim14, wherein establishing the baseline reputation comprises querying aglobal threat intelligence server for a global reputation of the firstURL.
 16. The one or more tangible, non-transitory computer-readablemediums of claim 15, wherein the reputation engine is further operablefor: receiving a response from the external threat intelligence serverthat the first URL has an unknown global reputation; and assigning thefirst URL a reputation as suspicious.
 17. The one or more tangible,non-transitory computer-readable mediums of claim 15, wherein thereputation engine is further operable for: receiving a response from theglobal threat intelligence server that the the first URL has a knownglobal reputation; and generating an enterprise reputation for the firstURL based at least in part on the known global reputation.
 18. The oneor more tangible, non-transitory computer-readable mediums of claim 14,wherein the reputation engine is further operable for querying anenterprise gateway for information about the first URL, and forgenerating an enterprise reputation for the first URL based at least inpart on the information about the first URL.
 19. The one or moretangible, non-transitory computer-readable mediums of claim 14, whereinthe reputation engine is further operable for submitting the first URLfor sandbox analysis, receiving sandbox analysis results, and generatingan enterprise reputation for the first URL based at least in part on thesandbox analysis.
 20. The one or more tangible, non-transitorycomputer-readable mediums of claim 14, wherein the reputation engine isfurther operable for: determining that the URL has an existingenterprise reputation; and acting on the existing enterprise reputation.21. The one or more tangible, non-transitory computer-readable mediumsof claim 14, wherein the reputation engine is further operable for:determining that a network object with a known reputation has anassociation with the first URL; and assigning the first URL a reputationbased at least in part on the known reputation of the network object.22. The one or more tangible, non-transitory computer-readable mediumsof claim 14, wherein assigning the first URL a reputation based at leastin part on the known reputation of the network object comprises:determining that the known reputation of the network object is anuntrusted reputation; determining that the URL has low prevelance withinthe enterprise; and assigning the URL an untrusted reputation.
 23. Theone or more tangible, non-transitory computer-readable mediums of claim14, wherein determining that a network object with a known reputationhas an association with the first URL comprises determining that thenetwork object was received from the first URL or contacts the firstURL.
 24. A computer-implemented method of providing a reputation engineoperable for: receiving a first uniform resource locator (URL)identifier; determining that a first URL identified by the first URLidentifier has an unknown enterprise reputation; and establishing abaseline reputation for the URL.
 25. The computer-implemented method ofclaim 24, wherein establishing the baseline reputation comprisesquerying a global threat intelligence server for a global reputation ofthe first URL.